Skip to content

Instantly share code, notes, and snippets.

@KaoRz
Last active December 24, 2018 00:21
Show Gist options
  • Save KaoRz/c85952e6584597fe03ba782bd95d177d to your computer and use it in GitHub Desktop.
Save KaoRz/c85952e6584597fe03ba782bd95d177d to your computer and use it in GitHub Desktop.
Write-up: El Ninja Contrarreloj - CTF SecAdmin 2018 (Reversing Challenge)
#include <stdio.h>
#include <unistd.h>
#include <pthread.h>
#include <string.h>
#include "solver.h"
char *msg = "secadmin{THISISATESTX}"; // The flag has "secadmin{}" format (22 chars)
char j[64]; // .bss:0000000000004160 ; char j[64]
int tiempo = 0; // .bss:000000000000414C tiempo
const char s[] = {0x91, 0x87, 0xEE, 0xEC, 0x2C, 0x25, 0x21, 0x0E, 0x1B, 0xA5, 0xC0, 0x9C,
0x2E, 0x42, 0xFD, 0xBF, 0x93, 0x96, 0xC1, 0xCE, 0xC6, 0xDF};
const char t[] = {0x74, 0x5A, 0x1B, 0x67, 0xDE, 0x34, 0xf6, 0x34, 0x67, 0x5A, 0x8B, 0x74,
0x5A, 0x1B, 0x67, 0xDE, 0x34, 0xF6, 0x34, 0x67, 0x5A, 0x8B, 0x31, 0x3B,
0x36, 0x30, 0x2C, 0x03, 0x3F, 0x66, 0x24, 0x08, 0x66, 0x24, 0x08, 0x39,
0x67, 0x23, 0x08, 0x24, 0x36, 0x39, 0x64, 0x2A, 0x54};
// char x[22]; // Debug array
void *timer() {
while(1) {
usleep(1000000);
++tiempo;
printf("-------------- Timer thread --------------\n");
printf("TIEMPO: %d\n", tiempo);
printf("------------------------------------------\n\n");
}
}
void *tr1() {
char v1;
int i;
for(i = 0; i < strlen(msg); ++i) { // strlen(msg) must be equal to 22
v1 = msg[i];
j[i] = v1 ^ strlen(msg);
printf("--------------- tr1 thread ---------------\n");
printf("V1(msg: '%c'): 0x%02x\n", v1,v1);
printf("J[I] (First) --> 0x%02x ^ 0x16(22) = 0x%02x\n", v1, j[i]);
printf("------------------------------------------\n\n");
usleep(200000);
}
}
void *tr2() {
int i;
for (i = 0; i < strlen(msg); ++i) {
usleep(400000);
printf("--------------- tr2 thread ---------------\n");
printf("J[I] (Provisional) --> 0x%02x\n", j[i]);
j[i] ^= t[2 * tiempo] ^ 0x80;
// x[i] = t[2 * tiempo]; // Debug array
printf("TIEMPO: %d\n", tiempo);
printf("J[I] (Definitive) --> 0x%02x ^ 0x80 => 0x%02x\n", t[2 * tiempo], j[i]);
printf("------------------------------------------\n\n");
}
}
void challenge_rev() {
pthread_t timethread; // time --> timer function
pthread_t v4; // v4 --> tr2 function
pthread_t v5; // v5 --> tr1 function
pthread_create(&timethread, 0LL, timer, 0LL);
pthread_create(&v5, 0LL, tr1, 0LL);
pthread_create(&v4, 0LL, tr2, 0LL);
usleep(13000000);
printf("----------------- RESULT -----------------\n");
if(!strcmp(j, s))
printf("FLAG --> %s\n", msg);
else {
// int i;
printf("ERROR --> Thats not the flag\n");
printf("Maybe this is what you were searching: ");
solve_me();
printf("\nTry with this one ;)\n");
/*
printf("Array X --> \n");
for(i = 0; i < strlen(x); i++)
printf("0x%02x ", x[i]);
printf("\n");
*/
}
printf("------------------------------------------\n\n");
}
int main(int argc, char *argv[]) {
challenge_rev();
}
#include <stdio.h>
#include "solver.h"
void solve_me() {
const char s[] = {0x91, 0x87, 0xEE, 0xEC, 0x2C, 0x25, 0x21, 0x0E, 0x1B, 0xA5, 0xC0, 0x9C,
0x2E, 0x42, 0xFD, 0xBF, 0x93, 0x96, 0xC1, 0xCE, 0xC6, 0xDF};
const char t_custom[] = {0x74, 0x74, 0x1b, 0x1b, 0xde, 0xde, 0xde, 0xf6, 0xf6, 0x67, 0x67,
0x67, 0x8b, 0x8b, 0x5a, 0x5a, 0x5a, 0x67, 0x67, 0x34, 0x34, 0x34};
char flag[22];
char c, test;
int i;
for(i = 0; i < 22; i++) {
for(c = 0x1; c < 0xff; c++) {
test = (c ^ 22) ^ t_custom[i] ^ 0x80;
if(test == s[i]) {
flag[i] = c;
break;
}
}
}
printf("%s", flag);
}
#ifndef _SOLVER_H_
#define _SOLVER_H_
void solve_me();
#endif
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment